According to a post on the Bugtraq mailing list, somebody has been trying to post JPG images with the exploit code in them to adult usenet newsgroups. Do note that these JPGs did not replicate, so this is not a virus - although the post in Bugtraq is misleadingly titled "GDI virus". Apparently they tried to use these JPGs to download trojans to vulnerable computers...but the download sites should be down by now.

Things are heating up. Unfortunately I have a nasty feeling we might sooner or later see a massmailer worm using a JPG image as the attachment.

As we reported earlier, a vulnerability that allows code execution has been found in Microsoft's GDI+ JPEG decoder. Microsoft has posted detailed information on the vulnerability and affected systems in MS04-028.

A proof-of-concept exploit which executes code on the victim's computer when opening a JPG file has been posted to a public website.
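An added detection check, not code from the original post: the MS04-028 flaw is triggered by a JPEG segment (in practice the COM comment segment, marker 0xFFFE) whose 16-bit length field is 0 or 1, smaller than the 2 bytes the field itself occupies, so a decoder computing length minus 2 underflows; that trigger detail is public knowledge about the bug rather than something this page states. The scanner below walks a JPEG's marker segments over constructed sample bytes and flags any segment declaring a length below 2, which is the check a mail gateway or on-access scanner would apply.

```python
import struct

# Constructed sample: SOI, a well-formed COM segment (length 7 = 2 + "Hello"), EOI.
GOOD_JPEG = bytes.fromhex("FFD8" "FFFE0007" "48656C6C6F" "FFD9")
# Constructed sample: same layout, but the COM length field says 1, which is
# below the 2 bytes the field itself occupies (the MS04-028 trigger shape).
BAD_JPEG = bytes.fromhex("FFD8" "FFFE0001" "48656C6C6F" "FFD9")
# Constructed sample: COM length field of 0, the other malformed value.
BAD_JPEG_ZERO = bytes.fromhex("FFD8" "FFFE0000" "FFD9")

STANDALONE = {0x01} | set(range(0xD0, 0xD9))   # TEM, RST0-7, SOI: no length field


def find_bad_segments(data: bytes):
    """Walk the marker segments at the start of a JPEG and return a list of
    (offset, marker, declared_length) for every segment whose 16-bit length
    field is below 2.  Such a value cannot be valid, and a decoder that
    blindly computes length - 2 underflows to a huge copy size."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    findings = []
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte; real marker follows
            pos += 1
            continue
        if marker == 0xD9:                 # EOI: end of image
            break
        if marker in STANDALONE:           # no length field to check
            pos += 2
            continue
        if pos + 4 > len(data):            # truncated before the length field
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            findings.append((pos, marker, length))
            break                          # length is meaningless; cannot advance
        pos += 2 + length
        if marker == 0xDA:                 # SOS: entropy-coded data follows
            break
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the file carries a segment with the malformed length."""
    return bool(find_bad_segments(data))


if __name__ == "__main__":
    for name, blob in (("good", GOOD_JPEG), ("bad", BAD_JPEG), ("zero", BAD_JPEG_ZERO)):
        print(name, find_bad_segments(blob))
```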

I've had an interesting day at Microsoft today. In addition to some meetings, we did a live webcast for the "Security360" series. It's impressive to see how a really big company like Microsoft works. The number of people involved in getting out just one webcast is impressive.

A spam message containing a link that leads to a "click here to remove" page has been widely distributed.

Besides confirming the user's email address to the spammers, the link points to a web page that asks the user to scroll it. This page uses the Drag and Drop vulnerability in Internet Explorer, so when the page is scrolled, the exploit installs a proxy backdoor. Currently it downloads and runs Backdoor.Win32.Agent.ce, but since the page is controlled by the spammers, the payload could be changed.

Today we found a new type of malicious Java applet. Unlike the Java applet trojans we have seen previously, Java/Binny.A uses an exploit in the Sun Java Runtime, and is thus capable of affecting any web browser that uses the Sun Java Runtime for executing Java applets.

This means that those who use Mozilla or Opera are also at risk, not just users of Microsoft Internet Explorer.

If you are using a Sun Java Runtime older than 1.41_04, please update it.

Mikko from our team is currently visiting Microsoft in Redmond. He will be doing two live webcasts while there. You can check them out on Tuesday by visiting the Microsoft webcast center. See the links here.

Sven Jaschan, the author of 30 different variants of Netsky and four different variants of the Sasser worm, has been hired. The German security company Securepoint hired him to work as a developer of security software such as firewalls.

I'm sure most people have serious doubts about a security company hiring a virus writer - and for a reason. No doubt Securepoint will have to explain their decision over and over again.

But in a way I'm happy Sven gets a second chance. After all, we really should try to rehabilitate criminals to enter normal working life again and to become a productive part of society. Just like in real life, many companies avoid hiring ex-convicts, but everybody agrees somebody should do it. So in that sense we should be glad that Securepoint is doing this. I guess.

Of course, we here at F-Secure wouldn't hire him.

And we should remember that although Sven Jaschan was bad, he wasn't that bad. He apparently really saw himself as some kind of Robin Hood: writing viruses to attack other viruses written by professional virus writers working with spammers. Sven's viruses removed viruses like Bagle and Mydoom and uninstalled spam proxies such as Mitglieder from infected computers. But of course, his viruses also caused huge amounts of damage - such as Sasser taking down X-ray machines in hospitals in Sweden.

In a weird twist, the latest variant of Mydoom (which was found last night) drops two files to the system: one of them is the mugshot of Sven Jaschan, author of Netsky. The other is a file called About_Mydoom.txt, which contains a description of the virus itself.

The F-Secure Anti-Virus database update we published on September 14th 2004 (2004-09-14_02) had a false alarm on the file U2FHTML.DLL, which is part of Crystal Reports. The file was detected as Mitglieder.cc.

It's the second Tuesday of the month and Microsoft has issued the latest security patches.

The most important vulnerability this time is a JPEG buffer overrun found in IE, Outlook, Office and many other products. With this, an attacker could post a picture to a website or mail it to a user, and get his code executed as soon as the page was viewed in IE or the message read in Outlook.

Yesterday was the 13th anniversary of my personal antivirus career. On 13th of September, 1991, I made my first virus analysis. Or actually, started doing it. I'm sure it took several days to finish.

Back then, finding a new virus was a big thing. It's hard to imagine that nowadays, with our labs receiving dozens of samples every day. I remember starting to research this 440 byte long virus, reading through reference manuals, interrupt lists and assembly manuals. We didn't even have separate testing machines at the time, so I couldn't just run the virus and monitor what it does. I ended up printing out the assembly code of the binary and going through it line by line.

Eventually I figured out how the virus replicates. I also noticed the virus would print out something on Friday the 13th. Based on my analysis, it would print out one character - ASCII code 151. I looked it up, and 151 seemed to be the code for the Omega character (Ω). So I named the virus Omega, and wrote a short description for it. My name stuck, and eventually other antivirus vendors started using it. Which was cool.

Six months later we set up our first real lab with isolated test machines. So I changed the date on one of the machines to Friday the 13th and infected it with Omega. I was relieved to see it indeed did print out the Omega character.

Nowadays we have a tradition at F-Secure that once you've been ten years at the company, you get an Omega watch...

Another Mydoom variant appeared today, the fourth one in the last 2 days. This variant, Mydoom.X, is similar to yesterday's 3 variants but lacks the "We searching 4 work in AV industry" text. Mydoom.X downloads a newer variant of the Surila backdoor.

We've received some questions on the new Nyxem variant (also known as Blackmal, Mywife, Blackworm, Blueworm and probably something else too).

We have some reports of this virus from the field (enough to make it into the top 30 of our virus statistics). However, it is nowhere near outbreak levels at the moment, and probably won't get there any more. The worm itself is your typical massmailer, which tries to remove various antivirus and security products.

Two Russian citizens have been arrested in Australia. They are suspected of running phishing scams against Australian banks, reports Jeremy Wagstaff's blog. Apparently Westpac and Suncorp Metway were targeted.

The case sounds similar to the series of arrests of Russian, Lithuanian and Ukrainian phishers in the UK in late May this year.

Today we got a sample of a new Mydoom worm variant. This variant is detected as 'W32/Mydoom.T@mm' and as 'I-Worm.Mydoom.gen' with the latest FSAV updates (2004-09-03_02). The worm is similar to previous variants. It spreads in e-mails with different subject and body texts and through the Kazaa P2P (peer-to-peer) file sharing network, and also drops a backdoor component that listens on port 5422. Additionally, the worm can perform a DDoS (Distributed Denial of Service) attack against Microsoft's website.

Oracle has put out a public alert on several new security vulnerabilities. Some of them could allow a remote attacker to execute arbitrary code on an affected system. That is, somebody could write a network worm infecting Oracle database servers that are online.

Remembering that the Slammer worm (which was the largest attack against the internet, ever) targeted MS SQL Server database servers, this thought is probably not too far-fetched.

Then again, Slammer was based on public exploit code. Such code is not available for most of these new Oracle vulnerabilities. At least not yet.

To synchronize with other vendors' naming, last night we decided to use the Bagle name for the two trojans that were spammed. Since these are not Bagle variants but droppers belonging to a new family, we are renaming them Glieder.H and Glieder.I.

Shortly after Bagle.AK was found, another slightly modified and recompiled version of it was spammed. This one uses cacl.exe instead of foto.exe. The accompanying foto.htm file is simple and just runs the exe file.

We've published detection for this malware in update 2004-09-01_01.